WordPress Anniversary: WordPress and Evil

As I look back on the ten years of WordPress, there is a dark side to blogging. While many blamed WordPress for the evil, like guns, WordPress doesn’t cause evil, people cause evil.

In fact, WordPress, Automattic, and the WordPress Community have fought longer and harder against the evil doers in the world than most realize. I thought I’d take a moment in my look back at the history of WordPress on this 10th anniversary year to share some of the dark side of the blogging force as related to WordPress.

This is a celebration of the courage, faith, and determination of the WordPress Community to not let the evil win.

The Battle Against Bitacle, Scrapers, and Sploggers

Many blamed WordPress for making it easy to scrape (copy) our site feeds and plagiarize and steal our content. WordPress didn’t make it easier, the improvement in feed technology made it easier, but many still blamed WordPress.

Bitacle has become Public Enemy #1 this weekend in some parts of the blogosphere. As I reported earlier, the Spain-based splogger scrapes your content (your Creative Commons deed be damned), monetizes it, keeps the cash — and refuses to answer email complaints. I called them “thieves” in my first post, and I am repeating the charge here. Bitacle’s boss, the magnificently misnamed Jesus Angelo “But call me Ladrón, honey” Glez, is a thief.

…Bitacle, while not replying to anyone’s mails, as far as I can see, seems to be aware they are under attack. They’ve been down much of the weekend, and they have (today) started including the URL to the content they steal. Nevertheless, they are still ripping off and re-purposing content, without permission, for their own financial gain. Worse, they still encourage comments to the stolen blog posts on their site in an attempt to dupe readers into believing they are seeing a “real” blog.

We weren’t talking about a single site copying your content because they didn’t know any better. We were fighting back against a site with thousands of sites’ feeds generating content and income for them from advertising on that content. Instead of finding your article on your site, search engine users would find your article on Bitacle looking like it was theirs, complete with open comments. I found several people commenting on my articles on Bitacle instead of on my site where the real conversation was happening.

With the many voices calling out for help, many led by the fantastic work of Jonathan Bailey who came up with a plan of action for us to follow, Bitacle changed their copyright notice to claim the article authors retained their copyrights, which didn’t work for any of us. Because we own our copyright, which we do, no one can use our content without our permission in any way we say is not acceptable, which means they cannot just take our content, slap ads on it, and make money from it without our express permission.

Autoblogging Scrapers and Splogs

Bitacle was built on the back of WordPress Plugins that permitted our content to be taken via feeds and used and abused. The battle against scrapers and sploggers, those using our content on their sites via our feeds, continues. Feed scraping is not specific to WordPress as any site with feeds is vulnerable.

In the early years of WordPress, a well intentioned web designer and developer, Elliott Back, created a powerful WordPress Plugin that was simple in concept but easily exploited. Called WP Autoblog, it was designed to aggregate multiple sites and display their most recent posts on the front page of a WordPress installation, bringing together the content to a single feed stream. Elliott Back did this for his family members so he could consolidate all their sites into a one stop viewing spot.

The evil doers of the web saw the potential of grabbing content from their many sites and generating new sites with the mixed content but didn’t stop there. They realized they could make money on other people’s content, relieving themselves of the burden of generating their own, and fill it with advertising, especially Google Adsense ads.

Elliott quickly became the target of angry bloggers as the Plugin displayed his credit line at the bottom of every post. They held him responsible for their suffering at the hands of content thieves and scrapers. He tried to defend himself, sometimes successfully, sometimes defensively, and eventually he chose to close down WP Autoblog saying:

This software is PERMANENTLY ON HOLD. Go use Feedwordpress, you vile spammers, or the recently announced WP o’ Matic. I will not provide this plugin, or anything like it, because the potential for abuse is way too high.

I am not [a spammer], and I encourage you to go after anyone abusing this with a DMCA notice…I’ve had my own sites ripped off by people abusing this plugin, and filed dozens of DMCA notices against spammers. In the web 2.0 world, information is money, and there are far too many people – often located outside of the US – who want to rip off your work, rather than writing for themselves.

He’s right, but it isn’t limited to those outside the United States. Evil doers are everywhere.

I feel bad for Elliott. He was right when he said repeatedly that someone would have eventually come up with such a WordPress Plugin, he just happened to be one of the first. He never dreamed his Plugin would be so abused, nor did any of us who thought this was a cool idea at first. Even today I use WordPress Widgets to bring in the feed stream from my various sites into this site’s sidebar. It is not misrepresented as content, but is based on the same theory, cross-marketing and promoting content across websites.

This technique of bringing in content from other sites to a single site continues today with other WordPress Plugins and third-party apps. The laws state that credit must be given to the source, and that only excerpts meeting Copyright Law Fair Use may be used, but this doesn’t stop the abuse.

We stop the abuse by educating everyone about copyright laws and being clear and specific about what our copyright policies are on our site. Just putting the copyright notice on your site isn’t enough. You need to be specific with what you will or will not allow. The web is a copycat space, so be clear about what you want copied or not.

The Fight Against Comment Spam

Akismet is one of the best tools in the world for battling comment spam.

Produced by Automattic, the commercial side of the WordPress collection of businesses, it isn’t restricted to WordPress-only sites. It is available for over a dozen publishing platforms, forums, wikis, and more. Released in 2005 on WordPress.com, it joined two other powerful comment spam fighters, Bad Behavior and Spam Karma 2, taking the best of the two and adding even more.

Akismet works through crowd-sourcing models. The user does not delete the comment spam, just marks it as spam and the comment spam information is added to a huge database which monitors and tracks comment spam from WordPress sites around the world. If enough people mark spam as spam, it is flagged and filtered out of your comment queue automatically.

In 2006, Akismet added an odometer to the WordPress Comments panel keeping score of the number of comment spam. Mine read 50,000 comment spam caught since October 2005. Once after two weeks of traveling, I came back to my site to find it had caught over 12,000 comment spams for me! That’s serious protection. My funniest Akismet moment is when the score read 12,341 caught, a screen capture moment for me!

Before Akismet, I used to spend an hour or more a day going through comment spam and deleting them. Even after Akismet was released, it didn’t have the strong false/positive record it has today, so time was still spent sifting through spam comments looking for the falsely accused. Overwhelmed with the time suck it created, my friend, Engtech, created the Akismet Auntie Spam Firefox-Greasemonkey Page Viewing Script which I used for years to make the process faster and streamlined, limiting my exposure to the crap found in comment spam to a minimum. I still wish Akismet would use that script to improve readability for those still wishing to scan through the spam.

Akismet is now so good, I haven’t looked at that page more than a few times a year now. It saves me hours a day of worry and wasted time, and continues to do the hard work in stopping my site from being flooded with comment spam. Sure, I take a few minutes every day to clean the spam out that gets through, usually new types of spam, and only so much can be done to battle the human spammers now representing a majority of comment spammers worldwide. When my site is slammed by thousands of comment spammers daily, I can’t live without Akismet.

Over the years I’ve celebrated and honored so many of the WordPress Community who have stood up and fought against evil on the web. Today, some of these are employees of Automattic, while others continue to volunteer their time and expertise without compensation.

There are those who stand up and say don’t risk your site with an unofficial WordPress Theme as many were stuffed with hidden or blatant advertising links, spam links, and security vulnerabilities. Automattic cleaned up the WordPress Theme Directory (formerly the WordPress Theme Viewer) to remove all “sponsored” and risky Themes. The debate over sponsored, premium, and freemium WordPress Themes continues even today as people try to make money from every angle in WordPress. It took strong people to stand up to the greedy and say this wasn’t right.

There are those who report malware in WordPress Themes, digging deep into the code to reveal the mechanics of such nasties. They help us to understand how these things work, and how to prevent them from working in the future, as well as blocking all access. It’s a full-time job some days.

The volunteers and employees of WordPress.com fight to protect our millions of blogs constantly, 24/7, against hackers and malicious attacks. WordPress.com is tested and updated daily to protect it from such attacks, yet few stop and say thank you and show our appreciation for the effort while we blog freely on every subject under the sun. I thank you all in my heart daily, as should we all.

Then there are faceless heroes of WordPress, the ones rarely celebrated or honored who work hard to make WordPress better, uncovering and fixing security vulnerabilities and improving the code with every update and release. In 2007, Ozh developed a WordPress Bug Fixers Heat Map, a tag cloud effect honoring the names of contributors to WordPress development, the larger the name, the more they are listed in the WordPress Trac, the code management system of WordPress.

The WordPress Community has developed WordPress Plugins to track and prevent content theft and copyright infringements, comment spam, registration spam, hacks, malware, viruses, personal attacks, malicious SEO, and other abuses.

From the very beginning of WordPress, community members have stepped up to create WordPress Plugins and Themes that help to defend the blogger’s rights from evil. There are so many, I feel guilty that I will miss a few so deserving of credit and recognition. I will include highlights of some of the articles I’ve published over the years about the fight to protect bloggers and WordPress from evil, and forgive me if I missed anyone. You all deserve our heartfelt thanks and appreciation for all that you have done for the millions of WordPress users.

5 Comments

Question: Why, oh why, does WordPress not allow an option to clean up and delete followers from our follower list? I have two in my list right now that are clearly some kind of advertisement page and not a true blog. I’ve thought from the start they might be following in order to grab up and reuse my blogs (not that anyone is knocking down their doors to read my blog, but hey, there could be some rather smart individual out there that thinks I write okay! lol). Am I missing something or is there a way to clean up the list? Also, is there a way to block certain followers?

Follower lists? Among all the evil…LOL. Sorry for the giggle, and sorry this annoys you. Following your site actually is non-invasive to you and your site, and the least of your worries. It actually causes trouble for the subscriber.

Followers in WordPress.com are basically subscribers. They get email announcements of all new posts you’ve written delivered to their inbox, clogging it up. Such actions are spammy but they can’t do much with your content or with the automatically generated emails. They are usually human spammers who don’t know the difference. No money is made, no extra work for your site, and if they don’t want to subscribe, they can unsubscribe.

Because they are not members of your site, not contributors, authors, editors, or administrators, they have no access to your site’s administration or code. Follow subscriptions are voluntary and the responsibility of the subscriber.

If you are suspicious, click their username and check out their gravatar profile and the links to their site(s). If they are spammy and on WordPress.com, use the Report Abuse link in the admin bar at the top of the site when logged in to report them. Let WordPress.com staff check them out. If they turn out to be spammy, they will shut down their site. You can also report abuse to Gravatar.

Currently, I’ve found no way to block followers, but you can use the Settings > Discussion security features to block commenters. If they are legitimately abusive or violating the terms of service for WordPress.com, report them. Let them play police.

It is easy to get confused and worry about followers. It’s exciting when you get the first few. You feel like you want to personally get to know them, thank them for paying attention, and continue a conversation. Don’t. Make what you publish start the conversation on your site. Following a site means the follower gets an email notification of new content. They may pay attention, delete it, or have it filtered out. How would you know? Pay attention to those who actively participate on your site. That’s where the fantastic energy needs to be focused. Thanks!

Thanks for the response, Lorelle. I’m going to crawl under a rock now and try to understand all you’ve pointed out. 😉

“… check out their … links to their site(s). If they are spammy…”
This spawns a different question… I dislike going to websites I don’t inherently trust and I feel like the intention of these potentially spammy follows is to get you to go to their page as you investigate. My security radar says not to check out their address in the followers list, but that’s assuming that viruses or malware can exist within WordPress. Can it? If nothing else, I feel like they are simply getting me to go there just to increase the counter on their ‘hits’ for Adsense or to trick you into checking out an advertisement page for a business. Do either of these qualify for a claim of ‘Abuse’, or are they just opportunists? (Either way, it makes me feel scuzzy that they are following me.)

Otherwise, I get what you’re saying. Vulnerability is part of the package when putting ourselves out there on the blogging scene. Understand it and get over it. Got it. 🙂

There are many ways to interact with a website, and I talk about many of these in my blog exercises this year. Followers, however, are lowest on the worry level.

“Following” in WordPress means the “subscriber” gets email notifications from your site when you publish new content. Your site on WordPress.com appears in the “My Blogs” global dashboard list so they can easily monitor what you recently published. There is no “follow” for non-WordPress.com sites (self-hosted WordPress sites) as this is a feature of WordPress.com.

As followers have no access to your site, the worry of viruses and malware is not a worry for your site. Clicking their links might lead the visitor astray, but honestly, how often do you click a follower’s link? Well, you do, but most people don’t.

If this concerns you and you feature site followers on your site through widgets and such, I recommend you contact WordPress.com and ask them to provide filtering, blocking, and removal of followers by site administrators. WordPress.com followers are fairly safe as they cannot put bad stuff on their sites and sites are monitored for security risks, but outside of that safe environment…maybe this is a good idea. Talk to them.

As for how this makes you feel – consider why you are focusing on this, Susan. There are more dangerous things out there. Some of it intentional, some not. A friend just sent out an announcement that she has a new email address featuring her full name and birth year. I wrote her back immediately and advised her to change it immediately as she just gave two pieces of personal information out risking identity theft. Sometimes we are just stoopid and put ourselves at risk, too. Stop looking at your followers list and focus on your commenters. Those are the ones who put the real energy into your site!

Back in 2009 or so, you blogged that WordPress.com responded to formal DMCA complaints against their bloggers who have improperly taken content within 1 or 2 business days following a formally filed DMCA complaint. It is reasonable to assume that your information may now be somewhat dated.

As a WordPress.com insider, can you update us as to what the current response protocol and current response time from WordPress.com is for such formally filed DMCA complaints against their bloggers?
